USA DATA PROCESSING ADDENDUM
THIS USA DATA PROCESSING ADDENDUM APPLIES IF USA PRIVACY LAWS APPLY TO THE PROCESSING OF PERSONAL DATA IN THE CONTEXT OF THE AGREEMENT.
All capitalized terms not defined in this USA Data Processing Agreement (“USA DPA”) shall have the meaning given in the remainder of the Master Terms and Conditions for the Supply of Services and Equipment which incorporates this USA DPA by reference.
In consideration of the mutual obligations set forth in this USA Data Processing Addendum, and for other valuable consideration, the sufficiency of which is acknowledged, PWFL and Customer hereby enter into this USA Data Processing Addendum.
In providing the Services pursuant to the Agreement, PWFL may Process certain Personal Information on behalf of Customer (“Customer Personal Data”). The Parties acknowledge that this USA DPA reflects the Parties’ agreement with regard to the Processing of Customer Personal Data, and the Parties shall comply with this USA DPA with respect to all Customer Personal Data.
-
Definitions
-
“Business”, “Business Purpose”, “Sell”,
“Service Provider” and “Share” have the meaning ascribed to
them in the CCPA.
-
“Data Subject” means an identified, or identifiable, natural
person to whom Personal Information relates.
-
“Personal Information” means any information that identifies, relates to, describes, or is
reasonably capable of being associated with, or could reasonably be linked, directly or
indirectly, with a particular person or household, or is otherwise “personal data,” “personal
information,” “personally identifiable information,” or similar designation under and
regulated by Privacy Law.
-
“Privacy Law” means all applicable federal, state, territorial, and local laws, rules, directives, regulations,
and governmental requirements currently in effect, or as they become effective, relating in any way to the
privacy, confidentiality, or security of Personal Information, including, to the extent relevant, the California
Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer
Data Privacy Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the
Children’s Online Privacy Protection Act, and any laws implementing, replacing or supplementing any of them, as
amended, consolidated, re-enacted, or replaced from time to time.
-
“Process(ing)” means the collection, use, modification, storage, disclosure and any other activity
with respect to Personal Information that is governed by Privacy Law.
-
“Services” for the purposes of interpreting this USA DPA only, means Services (as defined in the Master Terms) and
also includes Purchased Equipment for the purposes of interpreting this USA DPA only.
-
“Specified Business Purpose” means the Business Purpose(s) for Processing Personal Information, which are the
Services described in the Agreement.
-
Processing of Personal Information.
-
Relationship of the Parties. PWFL is the data processor and Service Provider Processing Customer
Personal Data on behalf of the Customer, which is the Business and data controller for Customer
Personal Data.
-
Processing Instructions. Customer has the sole right to give PWFL instructions regarding
the Processing of Customer Personal Data. Customer hereby instructs PWFL to Process Customer
Personal Data to the extent required to provide the Services. If complying with an instruction
by Customer could, in PWFL’s reasonable opinion, potentially cause a breach by PWFL or Customer
of this USA DPA or Privacy Law, PWFL may notify Customer in writing and suspend execution of the
instruction until PWFL receives written confirmation from Customer that compliance by PWFL with
the instruction would not breach this USA DPA or Privacy Law.
-
Customer Obligations. Customer covenants, represents, and warrants that: (i) Customer is
solely responsible for complying with Privacy Law in regards to its role as a Business and data
controller for Customer Personal Data; (ii) Customer has collected and obtained, and shall
Process, Customer Personal Data in compliance with Privacy Law; and (iii) Customer providing
Customer Personal Data to PWFL pursuant to the Agreement will not cause PWFL to be in violation
of applicable law, including Privacy Law. For the avoidance of doubt, Customer’s instructions
for the Processing of Customer Personal Data comply, and shall comply, with Privacy Law.
In addition, Customer is solely responsible for the accuracy, quality, and legality of
Customer Personal Data and the means by which Customer acquired Customer Personal Data.
-
PWFL Obligations. PWFL will comply with all applicable Privacy Law and only Process Customer
Personal Data in accordance with the instructions provided by Customer, including the instructions
in this USA DPA, and as otherwise required by applicable law.
-
California Specific Obligations. To the extent Customer Personal Data contains
any data regulated by the CCPA, PWFL certifies, as a Service Provider to Customer, that
it understands, and will comply with, the applicable restrictions set forth in the CCPA
and agrees that:
-
PWFL will Process all Customer Personal Data on behalf of Customer only and that Customer
is disclosing Customer Personal Data to PWFL only for the Specified Business Purpose;
-
PWFL is prohibited from retaining, using, or disclosing Customer Personal Data for any
purpose other than for the Specified Business Purpose, including, without limitation,
from retaining, using, or disclosing such Customer Personal Data (A) for a purpose other
than the Specified Business Purpose or (B) outside of the direct business relationship
between the relevant Data Subject and the Customer (and PWFL on behalf of Customer);
-
PWFL will not further collect, use, or disclose Customer Personal Data except as necessary
to provide and maintain the Services;
-
PWFL will not Sell or Share Customer Personal Data for any reason;
-
PWFL will not, unless otherwise necessary due to the Specified Business Purpose or
applicable law, combine Customer Personal Data with Personal Information it (A) receives
from or on behalf of another person or third party or (B) collects from its own interactions
with the applicable Data Subject;
-
PWFL will promptly notify Customer if PWFL determines it can no longer meet any of its
obligations under this USA DPA;
-
If Customer believes PWFL is collecting, using, Processing, or sharing Customer Personal
Data in a manner inconsistent with the Agreement (an “Unauthorized Use”), then PWFL will,
upon receiving written or oral notice from Customer, cease all Processing of Customer
Personal Data; and
-
PWFL will provide Customer with reasonable assistance and work with Customer in good faith
in order to fully resolve and remediate the Unauthorized Use.
-
Notwithstanding the foregoing, PWFL is permitted to use Customer Personal Data as expressly permitted under the exceptions to Service Provider use restrictions under the CCPA.
-
Data Protection and Security
-
Reliability and Confidentiality. PWFL will take commercially reasonable steps to
ensure the reliability of any person authorized to Process Customer Personal Data
and ensure that such persons have committed themselves in writing to confidentiality
or are under an appropriate obligation to ensure confidentiality and comply with
Privacy Law.
-
Security Measures. PWFL will keep Customer Personal Data confidential, and
implement and maintain (and require any Subprocessors that have access to
Customer Personal Data to maintain) a comprehensive, effective, and documented
information security program appropriate to the nature of Customer Personal
Data that: (i) contains administrative, technical, and physical safeguards
to identify, assess and protect against any reasonably foreseeable, anticipated,
or actual threats or hazards to the security or integrity of Customer Personal
Data (“Information Security Measures”), and (ii) is compliant with Privacy Law.
PWFL will (i) proactively monitor and review the scope of Information Security
Measures on a regular basis, and (ii) implement additional Information Security
Measures to control the risks PWFL identifies through the monitoring and
reviews described in (i).
-
Incident Notification and Management
-
Breach Notification. PWFL will notify Customer without undue delay after the
confirmation of any breach of security that resulted in the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or unauthorized access
to Customer Personal Data transmitted, stored, or otherwise Processed by PWFL or
any of its Subprocessors (“Security Breach”).
-
Breach Assistance. PWFL will provide assistance with any obligation of Customer
under Privacy Law, as reasonably requested, including to make notifications, regarding
the Security Breach. PWFL will not make any statement or notification to any Data
Subject, regulatory authority, or otherwise, regarding the Security Breach without
the prior written approval of Customer unless otherwise required by applicable law.
-
Rights of the Data Subjects.
Customer has the sole discretion in responding to rights asserted by the Data
Subjects. PWFL will forward to Customer any requests by Data Subjects relating
to the Processing of Customer Personal Data by PWFL. PWFL will assist Customer, at
Customer’s cost, in fulfilling any rights of the Data Subjects to the extent these
rights relate to the Processing of Customer Personal Data by PWFL.
-
Data Return or Deletion.
Upon termination or expiration of the Agreement, PWFL
will securely return or delete, at Customer’s discretion, all Customer Personal
Data, including all existing copies, unless the laws of the country to which PWFL is
subject require a longer retention period.
-
Data Protection Assessments.
PWFL shall provide assistance, upon Customer’s request, with any obligation of
Customer under Privacy Law to conduct or document any data protection assessments
relating to the Processing of Customer Personal Data and, where necessary, consultations
with regulatory authorities in connection with the Processing of Customer Personal Data.
-
Subprocessors
-
Appointment of Subprocessors.
Where PWFL engages another party to Process Customer Personal Data (a “Subprocessor”):
-
obligations providing for at least an equal level of data protection, as established by
this USA DPA, will be imposed on that Subprocessor by way of a written contract, such as a
data processing agreement; and
-
PWFL will remain responsible to Customer for the performance of that Subprocessor’s obligations
to the same extent as PWFL would be responsible if performing the services of the Subprocessor
under the terms of this USA DPA.
-
List of Current Subprocessors.
PWFL may continue to use the Subprocessors already engaged by
PWFL. Upon reasonable request, PWFL shall make available to Customer a list of current
Subprocessors being utilized.
-
Notification of New Subprocessors and Objection Right.
PWFL will notify Customer of any
material, proposed changes to its Subprocessors. PWFL will provide such notification at
least twenty (20) days before engaging any new Subprocessor to Process Customer Personal
Data. Customer may reasonably object in good faith to PWFL’s use of a new Subprocessor by
notifying PWFL promptly in writing within three (3) days of receipt of PWFL’s notice. If
Customer objects to a new Subprocessor as permitted, PWFL will use reasonable efforts to
make available to Customer a change in the Services or recommend a commercially reasonable
change to Customer’s configuration or use of the Services to avoid Processing of Customer
Personal Data by the objected-to new Subprocessor. If PWFL is unable to make available such
change within a reasonable period of time, not to exceed sixty (60) days, Customer will be
entitled to terminate the affected Services, but only with respect to those Services which
cannot be provided by PWFL without the use of the objected-to new Subprocessor, by providing
written notice to PWFL.
-
Audits, Inspections, and Cooperation.
PWFL will make available to Customer, upon request, the information reasonably necessary to
demonstrate its compliance with this USA DPA. PWFL will provide assistance, as reasonably
requested by Customer, in connection with any audits or inspections by competent regulatory
authorities or government bodies to the extent such audit relates to the Processing of Customer
Personal Data under this USA DPA (each an “Audit”). In connection with Audits, PWFL will grant
Customer reasonable access to its business premises during PWFL’s regular business hours and
make available all information reasonably necessary to demonstrate compliance with this USA
DPA; provided, however, that such access shall be undertaken in a manner designed to cause
minimal interruption to PWFL’s business operations. Customer will notify PWFL, in writing, of
any such request for access relating to an Audit at least eight (8) weeks in advance. Customer
may not request access relating to an Audit more than once per calendar year unless otherwise
required by applicable Privacy Law.
-
Nothing in this document will be interpreted as placing a duty upon us to monitor or enforce the Customer’s activities and PWFL disclaims any liability as a result of a failure to do so, and consequent misuse of the Web Services is disclaimed.
-
Final Provisions
-
Conflicts.
In the case of any conflict or inconsistency between any of the terms or conditions of the
remainder of the Agreement (except for the Third Party Terms which with respect to Third Party
Services shall prevail over this USA DPA to the extent there is a conflict) or this USA DPA, the
terms or conditions of this USA DPA shall control.
-
Changes in Privacy Law.
The Parties shall negotiate in good faith any amendments to this USA DPA that are
necessary to reflect changes in Privacy Law.
-
Governing Law and Venue.
This USA DPA is subject to the laws of the jurisdiction as stated in the Master Agreement.
The Parties exclusively submit to the courts of the chosen jurisdiction as set out in the
Master Agreement.
-
Amendments.
Any amendments or supplements to, or termination of, this USA DPA must be in writing in order
to be legally effective; this requirement applies accordingly to any waiver of this written form
requirement. For the avoidance of doubt, any references to any written form requirement in this
USA DPA (e.g., “written” or “in writing”) include declarations and documents in electronic and
text form whether bearing a signature or not (e.g., emails, fax copies or scans).
-
Severability.
If a provision of this USA DPA is or becomes ineffective, in whole or in part, or if there is an
omission, the remaining provisions of this USA DPA shall remain unaffected. In place of the
ineffective provision, and to fill the omission, the Parties shall agree on a reasonable provision
which comes - to the extent legally possible - closest to what the Parties agreed or would have
agreed if they had considered this point.